Problem:

If you try to copy an encrypted RDS snapshot between regions, you may encounter the following error in your Skeddly log:

E:8/19/2019 11:13:00 AM [15]: Error executing request: The KMS key encrypting source snapshot <snapshot ID> doest not exist, is not enabled or you do not have permissions to access it.

When an RDS snapshot is copied across regions, the snapshot must be decrypted by AWS using the original KMS key, then re-encrypted in the target region using the new KMS key.

This error may occur:

  1. When the IAM credentials used by Skeddly to access your AWS account does not have permissions to access the KMS key used to encrypt the source RDS snapshot, and/or
  2. AWS was not given permissions to access the KMS key.

Solution:

To resolve this issue, there are 2 possible options.

Option 1: Allow the IAM role/user used by Skeddly to access the KMS key

  1. Find the KMS key used to encrypt the source RDS snapshot in the IAM Management Console.
  2. Modify the "Key Policy" of the KMS key to allow the IAM role/user to "allow use of the key". You do this by adding your IAM role/user to the "Key users" section.

Note: The same should be done with the KMS key used in the target region.

Once the user is allowed to "use" the KMS keys, the RDS snapshot should copy correctly.

Option 2: Allow the IAM role/user used by Skeddly to execute kms:CreateGrant 

  1. In the IAM Management Console, find the IAM role/user used by Skeddly.
  2. Add a new "Inline Policy" to the user with the following JSON body:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateGrant",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*"
        }
    ]
}

This policy will allow the IAM role/user to grant permission to AWS to use the KMS key.

With this policy applied to the IAM role/user, the RDS snapshot should copy correctly.

Did this answer your question?